User guide
ExtremeWare Software User Guide 16-21
Using Routing Access Policies
In addition, if the administrator wants to restrict any user belonging to the VLAN
Engsvrs from reaching the VLAN Sales (IP address 10.2.1.0/24), the additional
commands to build the access policy would be as follows:
create access-profile nosales ipaddress
config access-profile nosales mode deny
config access-profile nosales add 10.2.1.0/24
config rip vlan backbone import-filter nosales
This configuration results in the switch having no route back to the VLAN Sales.
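An offline review check for these commands, as an added example that is not part of the original guide: it parses a configuration dump and reports profiles that are created but never bound to a filter, and filters that name an undefined profile or `none`. It recognizes only the RIP import-filter form above and the OSPF filter forms this chapter describes; the sample text, the area ID `0.0.0.1` and the profile names `unused` and `noext` are constructed for illustration.

```python
import re

# Constructed sample: the page's RIP example plus lines added to trigger findings.
SAMPLE = """\
create access-profile nosales ipaddress
config access-profile nosales mode deny
config access-profile nosales add 10.2.1.0/24
config rip vlan backbone import-filter nosales
create access-profile unused ipaddress
config access-profile unused mode deny
config ospf area 0.0.0.1 external-filter noext
config ospf asbr-filter none
"""

CREATE = re.compile(r"^create access-profile (\S+) (\S+)$")
MODE = re.compile(r"^config access-profile (\S+) mode (\S+)$")
ADD = re.compile(r"^config access-profile (\S+) add (\S+)$")
# Binding commands shown on the page; the last token is a profile name or "none".
BIND = re.compile(r"^config (rip vlan \S+ import-filter|ospf area \S+ "
                  r"(?:interarea|external)-filter|ospf asbr-filter) (\S+)$")

def audit(config_text):
    """Return (profiles, bindings, findings) for a configuration dump."""
    profiles, bindings, findings = {}, [], []
    for line in map(str.strip, config_text.splitlines()):
        if m := CREATE.match(line):
            profiles[m[1]] = {"type": m[2], "mode": None, "entries": []}
        elif (m := MODE.match(line)) and m[1] in profiles:
            profiles[m[1]]["mode"] = m[2]
        elif (m := ADD.match(line)) and m[1] in profiles:
            profiles[m[1]]["entries"].append(m[2])
        elif m := BIND.match(line):
            bindings.append((m[1], m[2]))
    bound = {name for _, name in bindings}
    for where, name in bindings:
        if name == "none":
            findings.append(f"{where}: no filter applied")
        elif name not in profiles:
            findings.append(f"{where}: profile '{name}' is not defined")
    for name, p in profiles.items():
        if name not in bound:
            findings.append(f"profile '{name}' is defined but not applied to any filter")
        if p["mode"] is None or not p["entries"]:
            findings.append(f"profile '{name}' has no mode or no entries")
    return profiles, bindings, findings

if __name__ == "__main__":
    for finding in audit(SAMPLE)[2]:
        print(finding)
```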
Routing Access Policies for OSPF
Because OSPF is a link-state protocol, the access policies associated with OSPF are
different in nature than those associated with RIP. Access policies for OSPF are intended
to extend the existing filtering and security capabilities of OSPF (for example, link
authentication and the use of IP address ranges). If you are using the OSPF protocol, the
switch can be configured to use an access profile to determine any of the following:
• Inter-area Filter — For switches configured to support multiple OSPF areas (an ABR
function), an access profile can be applied to an OSPF area that filters a set of OSPF
inter-area routes from being sourced from any other areas. To configure an inter-area
filter policy, use the following command:
config ospf area <area_id> interarea-filter [<access_profile> | none]
• External Filter — For switches configured to support multiple OSPF areas (an ABR
function), an access profile can be applied to an OSPF area that filters a set of OSPF
external routes from being advertised into that area. To configure an external filter
policy, use the following command:
config ospf area <area_id> external-filter [<access_profile> | none]
If any of the external routes specified in the filter have already been advertised,
those routes will remain until the associated LSAs in that area time out.
• ASBR Filter — For switches configured to support RIP and static route
re-distribution into OSPF, an access profile can be used to limit the routes that are
advertised into OSPF for the switch as a whole. To configure an ASBR filter policy,
use the following command:
config ospf asbr-filter [<access_profile> | none]
• Direct Filter — For switches configured to support direct route re-distribution into
OSPF, an access profile can be used to limit the routes that are advertised into OSPF